pulumi-community #automation-api

automation-api

bored-table-20691

02/07/2022, 11:54 PM

Is there in the Automation API to specify the org a project is in?

ws, err := auto.NewLocalWorkspace(ctx, auto.Project(workspace.Project{
		Name:    tokens.PackageName("..."),
		Runtime: workspace.NewProjectRuntimeInfo("go", nil),,
	}))

Basically, how can I replace

…

to specify the fully qualified name of my project? I tried

myorg/myproject

but it doesn’t seem to take.

prehistoric-kite-30979

02/14/2022, 8:14 PM

Is it possible to use the automation api to read config that is encrypted?

await (await LocalWorkspace.createOrSelectStack({ stackName: 'staging', workDir: infraDir })).getAllConfig()

Throws an error:

stderr: error: could not decrypt configuration value: [400] Message authentication failed

curved-quill-94238

02/14/2022, 10:43 PM

Hello! I'm excited to get the Automation API up and running for my team---working on transitioning from Terraform to Pulumi right now. I just joined the Slack workspace, so please let me know if this is the wrong place to post this. I was able to preview/deploy/destroy a stack locally completely using the automation API, then when I went to run it in CI I needed to start using assumeRole (AWS) and ran into errors trying to get that config set up. One of them was "no default region set". So I'm back locally and trying to add in those parameters, but getting a weird error. I set the region in the stack config (when I just did the region it complained about

error configuring Terraform AWS Provider: AWS account ID not previously found and failed retrieving via all available methods. See <https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id> for workaround

, so I added the

skipRequestingAccountId

param)

stack_config: Dict[str, Any] = {
        "aws:region": ConfigValue(
            "us-east-1"
        )  
    }

    stack_config["aws:skipRequestingAccountId"] = ConfigValue(True)

Then I create the stack, which seems to work fine.

project_settings = ProjectSettings(
        name=project_name, runtime=project_runtime_info, backend=project_backend
    )
    stack_settings = StackSettings(
        secrets_provider=secrets_provider,
        encrypted_key=encrypted_key,
        config=stack_config,
    )
    workspace_options = LocalWorkspaceOptions(
        secrets_provider=secrets_provider,  # Eli (2/11/22): since secrets_provider is already given in the ProjectSettings, I don't know if it's needed in both places or if just one spot would be better. Unclear at the moment
        project_settings=project_settings,
        stack_settings={stack_name: stack_settings},
    )
    print(f"Stack Config before initialization: {stack_config}")  # allow-print
    stack = create_or_select_stack(
        stack_name,
        project_name=project_name,
        program=pulumi_program,
        opts=workspace_options,
    )

But then when I go to run

preview

I get an error that seems to potentially indicate that this config is creating a new provider that isn't being passed into my inline program (maybe)

+ pulumi:pulumi:Stack: (create)
    [urn=urn:pulumi:eli-test::my_project::pulumi:pulumi:Stack::my_project-eli-test]
Resources:
    + 1 to create
 stderr: error: could not validate provider configuration: 1 error occurred:
        * Attribute must be a single value, not a map

My inline program is just a simple creation of a bucket as I work to get the automation API framework up and running

def pulumi_program() -> None:
    s3.Bucket("bucket")

Am I somehow not telling my inline program to use the provider config created by my stack? or am I just going about this the wrong way to configure the provider? I don't have any special custom provider configuration settings I need right now, I just have a role ARN that I need to assume in CI that has the permissions to deploy changes)

sparse-intern-71089

02/15/2022, 11:16 AM

This message was deleted.

big-state-95297

02/16/2022, 9:22 AM

Question about passing config values in automation api. All examples I could find only use

aws:region

which is not explicitly read by any inline programs. I'm trying to pass-in some config values that need to be read using

config.require(...)

method and when I run the automation api program using

npm run start

, I see the error:

Error: Program run without the Pulumi engine available; re-run using the pulumi CLI

. I see that the stack-trace points to the line where we try to do

const config = new pulumi.Config()

. Is there another way we should be reading the config values when running output pulumi CLI?

crooked-pillow-11944

02/20/2022, 9:46 PM

Does somebody have an example of using the AWS Provider

default_tags

with pulumi automation api?

bumpy-agent-19616

02/21/2022, 4:21 PM

Hi guys, I have a node app that tries to create resources on Azure cloud as it could be seen below,

const projectName = "pulumi_over_http";
const createPulumiProgram = (content: string) => async () => {
    // Create a bucket and expose a website index document
    console.log("Resource group creation starts...")
    const resourceGroup = new azure.core.ResourceGroup('rg');
    console.log("Resource group creation ends...")

    console.log("Storage account creation starts...")
    const storage = new azure.storage.Account("storageaccount", {
        accountKind: 'StorageV2',
        accountReplicationType: 'LRS',
        accountTier: 'Standard',
        allowBlobPublicAccess: false,
        location: 'WestEurope',
        name: "storageaccount",
        resourceGroupName: resourceGroup.name,
    });
    console.log("Storage account creation ends...")

    console.log("Storage container creation starts...");
    const container = new azure.storage.Container(
    "storagecontainer",
    {
        containerAccessType: 'blob',
        name: "storagecontainer",
        storageAccountName: storage.name,
    });
    console.log("Storage container creation ends...");

    // Upload the files
    ["index.html", "404.html"].map(name =>
        new azure.storage.Blob(name, {
            contentType: 'text/html',
            // source: `./static/${page.name}`,
            name,
            storageAccountName: storage.name,
            storageContainerName: container.name,
            type: 'Block',
        }),
    );
};

const buildBaseRequestCopy = (
    baseRequest: BaseRequest,
  ) => ({
      ...baseRequest,
      purpose: 'pul',
    });

const init = async (
    kvName: string,
    baseRequest: BaseRequest, 
    stackName: string
) => {
    // await initBasicLocalWorkspaceConfig(kvName, baseRequest.environment, stackName);
    // await initAtlasLocalWorkspaceConfig(kvName, baseRequest.environment, stackName);

    // case AzureEnvVar.AZURE_CLIENT_ID:
    process.env.AZURE_CLIENT_ID = 'XXXXXXXXXXXX';
    process.env.AZURE_CLIENT_SECRET = 'XXXXXXXXXXXX'
    process.env.AZURE_TENANT_ID = 'XXXXXXXXXXXX'
    process.env.AZURE_CLIENT_OBJECT_ID = 'XXXXXXXXXXXX'
}

const baseRequest: BaseRequest = {
    application: 'atl',
    countryCode: '3se',
    domain: 'cld',
    environment: 'dev',
    project: '',
    team: '',
}

const request: AtlasRequest  = {
    ...baseRequest,
};

const baseRequestCopy: BaseRequest = buildBaseRequestCopy(
    baseRequest,
);

const stackName = 'atl-cld-dev-3se';
const kvName = 'hi3gkvpulatlclddev3se';
const strName = 'hi3gstgpulatlclddev3se'
// creates new sites
const createHandler: express.RequestHandler = async (req, res) => {
    const content = req.body.content as string;
    await init(kvName, baseRequestCopy, stackName);
        
    try {
        // create a new stack
        const stack = await LocalWorkspace.createStack({
            // generate our pulumi program on the fly from the POST body
            program: createPulumiProgram(content),
            projectName,
            stackName,
          },
          setLocalWorkspaceOptions(
            projectName,
            stackName,
            kvName,
            strName,
          ),
        );
        await stack.setConfig("azure:region", { value: "west-europe" });
        // deploy the stack, tailing the logs to console
        const upRes = await stack.up({ onOutput: <http://console.info|console.info> });
        res.json({ id: stackName, url: upRes.outputs.websiteUrl.value });
    } catch (e) {
        if (e instanceof StackAlreadyExistsError) {
            res.status(409).send(`stack "${stackName}" already exists`);
        } else {
            res.status(500).send(e);
        }
    }
};

// updates the content for an existing site
const updateHandler: express.RequestHandler = async (req, res) => {
    const stackName = req.params.id;
    const content = req.body.content as string;
    try {
        await init(kvName, baseRequestCopy, stackName);
        // create a new stack
        const stack = await LocalWorkspace.selectStack({
            // generate our pulumi program on the fly from the POST body
            program: createPulumiProgram(content),
            projectName,
            stackName,
          },
          setLocalWorkspaceOptions(
            projectName,
            stackName,
            kvName,
            strName,
          ),
        );
        await stack.setConfig("azure:region", { value: "west-europe" });
        // deploy the stack, tailing the logs to console
        const upRes = await stack.up({ onOutput: <http://console.info|console.info> });
        res.json({ id: stackName, url: upRes.outputs.websiteUrl.value });
    } catch (e) {
        if (e instanceof StackNotFoundError) {
            res.status(404).send(`stack "${stackName}" does not exist`);
        } else if (e instanceof ConcurrentUpdateError) {
            res.status(409).send(`stack "${stackName}" already has update in progress`)
        } else {
            res.status(500).send(e);
        }
    }
};
const ensurePlugins = async () => {
    const ws = await LocalWorkspace.create({});
    await ws.installPlugin("azure", "v4.6.0");
};

// install necessary plugins once upon boot
ensurePlugins();

// configure express
const app = express();
app.use(express.json());

// setup our RESTful routes for our Site resource
<http://app.post|app.post>("/atlas", createHandler);
app.put("/atlas/:id", updateHandler);

// start our http server
// start our http server
app.listen(1337, () => <http://console.info|console.info>("server running on :1337"));

most-lighter-95902

02/21/2022, 5:53 PM

Hi, I was using the Automation API to create a k8s job, but somehow the process seems to have cancelled midway. It’s now saying there’s

pending_operations

which is preventing me to re-run this. I know that I typically have to import/export the state to remove it manually when I’m working locally but how do I handle this as part of the Automation API?

most-lighter-95902

02/21/2022, 10:38 PM

Hi - is anyone planning to look into the “Avoid mutating global state when creating or selecting stacks” (https://github.com/pulumi/pulumi/issues/8186) ticket? I’m trying to use Automation API to provision resources for clients and this is a blocker - because parallel stack update is not possible due to this bug, my endpoints error out when two clients attempt to update their own respective stacks. Just wondering if this is anywhere in the horizon.

curved-quill-94238

02/22/2022, 3:39 PM

Does anyone know how to access values in the stack's

config

from inside an inline program (Python flavor)? I feel like there must be a way to do this, but I haven't found it in the docs, examples, or Stack Overflow I tried

pulumi.get_stack()

to see if I could then run

get_config

, but apparently

get_stack

returns just the

str

of the stack name, not the actual

Stack

object itself

crooked-pillow-11944

02/23/2022, 7:04 PM

How do I set the Kubernetes provider args (specifically kubeconfig) with Python?

high-leather-15669

02/24/2022, 8:07 AM

Hello, I want to create/manage stacks using Pulumi

automation API

using a Azure Storage Account. I can do this over pulumi CLI, but haven't found any docs/examples to do this over the Automation API, could someone be so kind to point it for me? Thank you!

miniature-leather-70472

03/01/2022, 2:22 PM

Has anyone had any thoughts or solutions on how to deal with failures that result in pending operations in the state file that block further deployments? When doing this interactively it's not the end of the world as you can go in and fix, but using the automation API to automate things, it means your stuck with failure until someone can manually go in and fix it. Is there any way to have it ignore or remove pending operations, given we do a refresh each time anyway

prehistoric-kite-30979

03/01/2022, 3:40 PM

When I add the following line to my inline program it complains with`Program run without the Pulumi engine available` :

const opts = { ...options.Azure('azure'), region: stack.region, resourceGroupName }

options.Azure is located in a separate TS package and does the following:

export function Azure(
    name: string,
    opts?: CustomResourceOptions,
    providerOptions?: ProviderOptions,
): AzureOptions {
    const subscriptionId = cfg.require('subscriptionId')
    const provider = new azure.Provider(
        name,
        {
            tenantId,
            subscriptionId,
            clientId: cfg.require('clientId'),
            clientSecret: cfg.requireSecret('clientSecret'),
        },
        providerOptions,
    )
    return {
        subscriptionId,
        provider,
        ...opts,
    }
}

I suspect it has something to do with it being in a separate package… any ideas?

fast-dinner-32080

03/02/2022, 9:09 PM

Hello, does anyone know the best way to handle a graceful stop/cancel of a running pulumi automation command in Python? I started down the path of spawning a thread which then runs the pulumi command and the main will handle a sigterm or keyboard interrupt. That seems to work for any part of the process except when a pulumi command is running (up, refresh, etc.). If a KeyboardInterrupt or sigterm happens when the pulumi command is running my thread stop workflow does start but unfortunately the pulumi cmd just throws a CommandError exception with the code of -2 which makes me think it is also canceling on the keyboard interrupt on it’s own but not gracefully stopping.

fast-dinner-32080

03/02/2022, 9:16 PM

Digging into the code a bit I see it just is starting a subprocess which makes sense now why it is terminating on the sigterm/ctrl+c (signal it sent to whole process tree) https://github.com/pulumi/pulumi/blob/master/sdk/python/lib/pulumi/automation/_cmd.py#L55 It seems like this could be enhanced to deal with a cancelation/async run that way it can be gracefully stopped rather than abruptly terminated.

fast-dinner-32080

03/03/2022, 4:25 PM

Logged this issue for the above: https://github.com/pulumi/pulumi/issues/9103

:thank-you: 1

most-lighter-95902

03/04/2022, 3:37 AM

Hi, I’m getting this error while running Automation API even though I’m setting the plugins:

most-lighter-95902

03/04/2022, 3:37 AM

error: no resource plugin 'aws-v4.23.0' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource aws v4.23.0`

most-lighter-95902

03/04/2022, 3:37 AM

Here’s my code:

most-lighter-95902

03/04/2022, 3:37 AM

try {
    const stack = await LocalWorkspace.createOrSelectStack({
      stackName: `${organization}/${stackName}`,
      projectName: project,
      program,
    })
    
    await stack.workspace.installPlugin('aws', 'v4.36.0')
    await stack.workspace.installPlugin('kubernetes', 'v3.15.0')
  
    await stack.setAllConfig({ ...configMap })

    const upRes = await stack.up({ onOutput: <http://console.info|console.info> })
    return upRes
  } catch (err) {
    console.log('err in createOrUpdateStack', err)
    throw new Error('err in createOrUpdateStack')
  }`

most-lighter-95902

03/04/2022, 3:38 AM

I tried changing the installPlugin to

v4.23.0

but that didn’t work either

most-lighter-95902

03/04/2022, 3:38 AM

What am I doing wrong here?

most-lighter-95902

03/06/2022, 4:35 AM

Is it not enough to set PULUMI_ACCESS_TOKEN as a config value (secret)? I’m using Automation API to get a stack (see below code block) but it’s erroring out with

'error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions\n'

most-lighter-95902

03/06/2022, 4:36 AM

const stack = await LocalWorkspace.selectStack({
  stackName: `${organization}/${stackName}`,
  projectName: project,
  program: async () => { }, // don't need a program just to get outputs
})

await stack.setAllConfig({ 'PULUMI_ACCESS_TOKEN': 'xxx' })

const outputsRes = await stack.outputs()

most-lighter-95902

03/06/2022, 4:59 AM

If config secret is not the right place to set this value, what’s the best practice for setting this inside a docker container running on Kubernetes? Setting it as an env variable inside the cluster doesn’t seem the most secure?

most-lighter-95902

03/11/2022, 3:01 AM

I apologize if this is not a Pulumi specific issue but I think it’s supposed to work but it’s not while I’m running it via Automation API so I thought I’d ask here

most-lighter-95902

03/11/2022, 3:01 AM

I have the following ClusterRole in K8s:

most-lighter-95902

03/11/2022, 3:01 AM

Name:         DeveloperRole
Labels:       <http://app.kubernetes.io/managed-by=pulumi|app.kubernetes.io/managed-by=pulumi>
Annotations:  <none>
PolicyRule:
  Resources                    Non-Resource URLs  Resource Names  Verbs
  ---------                    -----------------  --------------  -----
  *                            []                 []              [*]
  *.apps                       []                 []              [*]
  *.autoscaling                []                 []              [*]
  *.batch                      []                 []              [*]
  *.extensions                 []                 []              [*]
  *.policy                     []                 []              [*]
  *.<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>  []                 []              [*]

most-lighter-95902

03/11/2022, 3:02 AM

I’m using a RoleBinding inside

jobs-flow

namespace this way: